Public bug reported: Heap Out Of Bound Read
A variant of https://bugs.launchpad.net/ubuntu/+source/dmg2img/+bug/1835463 at another position.

    parts[i].Data = (char *)malloc(0x28 * mishblk.BlocksRunCount);
    if (!parts[i].Data)
        mem_overflow();
    // dmg2img doesn't check if mish_begin contains enough data. In this case BlocksRunCount is a large value, and read
    memcpy(parts[i].Data, mish_begin + 0xCC, 0x28 * mishblk.BlocksRunCount);

#Steps to reproduce:

    apt-get source dmg2img
    cd dmg2img-1.6.7/
    make
    ./dmg2img ../crash

** Affects: dmg2img (Ubuntu)
     Importance: Undecided
         Status: New

** Attachment added: "dmg2img_arbitrary_OOB_read.tar"
   https://bugs.launchpad.net/bugs/1854231/+attachment/5308311/+files/dmg2img_arbitrary_OOB_read.tar

https://bugs.launchpad.net/bugs/1854231

Title:
  Heap OOB read
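A bounds-checked form of the copy quoted in the report, as an added example that is not dmg2img's code or any upstream fix. The helper name copy_block_runs and its mish_len parameter (the number of bytes actually available at mish_begin) are assumptions; the 0xCC offset and 0x28 record size are taken from the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MISH_RUNS_OFFSET 0xCCu /* offset of the first block run (from the report) */
#define MISH_RUN_SIZE    0x28u /* size of one block run record (from the report) */

/* Hypothetical helper: copy `runs` block-run records out of a mish blob that
 * holds `mish_len` bytes. Returns a malloc'd buffer and sets *out_len, or
 * returns NULL if the blob is too short for the claimed count or malloc fails. */
char *copy_block_runs(const unsigned char *mish_begin, size_t mish_len,
                      uint32_t runs, size_t *out_len)
{
    size_t avail, need;
    char *data;

    if (mish_begin == NULL || out_len == NULL)
        return NULL;
    *out_len = 0;
    if (mish_len < MISH_RUNS_OFFSET)      /* fixed header must fit first */
        return NULL;
    avail = mish_len - MISH_RUNS_OFFSET;
    if (runs > avail / MISH_RUN_SIZE)     /* divide, so runs * 0x28 cannot wrap */
        return NULL;
    need = (size_t)runs * MISH_RUN_SIZE;

    data = malloc(need ? need : 1);       /* keep a zero-run result non-NULL */
    if (data == NULL)
        return NULL;
    memcpy(data, mish_begin + MISH_RUNS_OFFSET, need);
    *out_len = need;
    return data;
}

int main(void)
{
    /* Constructed sample: a blob with room for exactly two block runs. */
    unsigned char blob[MISH_RUNS_OFFSET + 2 * MISH_RUN_SIZE] = {0};
    size_t n;
    char *ok = copy_block_runs(blob, sizeof blob, 2, &n);
    char *bad = copy_block_runs(blob, sizeof blob, 0x10000000u, &n);

    printf("2 runs: %s, oversized count: %s\n",
           ok ? "copied" : "rejected", bad ? "copied" : "rejected");
    free(ok);
    free(bad);
    return 0;
}
```
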